Helm chart, development documentation, namespace control (#4)
* Adding helm chart, adding documentation on testing with kind, delete the examples dir since helm takes care of what it was trying to accomplish * Readme formatting * Additional next steps
1 parent 5f303b7, commit 546a65a
Showing 18 changed files with 345 additions and 85 deletions.
@@ -1,38 +1,107 @@ | ||
# Bitwarden Secrets Manager kopf k8s Operator | ||
# Bitwarden Secrets Manager Operator | ||
|
||
The intent of this project is to create an operator that will sync secrets from bitwarden secrets manager to a cluster's secrets. | ||
|
||
## Usage | ||
## Usage & Installation | ||
|
||
### Prerequisites | ||
|
||
#### Required Packages | ||
|
||
The deployment mechanism used for project is helm. [Helm will need to be installed](https://helm.sh/docs/intro/install/). | ||
|
||
#### Bitwarden Secrets Manager Secret Deployment | ||
|
||
It is assumed that you have a secret that is usable by the bitwarden secrets manager CLI | ||
to authenticate to the bitwarden secrets manager service. Instruction on how to create this secret | ||
can be found [here](https://bitwarden.com/help/access-tokens/). | ||
|
||
Here is an example manifest of the secret using the default values within the helm chart. | ||
|
||
```yaml | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: bwsm-sa-token | ||
namespace: MyNamespace | ||
stringData: | ||
.secretAccessToken: MyVeryLongAndSecureSecret | ||
``` | ||
As with any secret please be careful and judicious on where you store this. | ||
You may deploy this secret prior to the helm installation, or you can apply it after the helm installation. | ||
### Installation | ||
```bash | ||
# Configure reused variables | ||
DOCKER_REPOSITORY=REPLACEME | ||
CONTAINER_NAME=bwsm_k8s_operator | ||
CONTAINER_VERSION=latest | ||
|
||
# Build container, replace | ||
docker build . -t $DOCKER_REPOSITORY/$CONTAINER_NAME:$CONTAINER_VERSION | ||
|
||
# Push to registry | ||
docker push $DOCKER_REPOSITORY/$CONTAINER_NAME:$CONTAINER_VERSION | ||
|
||
# Kubectl apply the shell operator configured for bwsm | ||
##### NOTE!!!!! ##### | ||
##### You will need to update the shell-operator.yaml with the container image you pushed ##### | ||
##### You will also need to provide the secret token for the service account in the bws_secret.yaml ##### | ||
kubectl apply -f ./examples/ | ||
|
||
# Kubectl apply a test secret | ||
##### NOTE!!!!! ##### | ||
##### You will need to replace the definition with a secret's UUID from bitwarden secrets manager | ||
kubectl apply -f ./test/ | ||
|
||
# View logs and check the secret was created | ||
kubectl -n shell-operator get pods | ||
kubectl -n shell-operator logs POD_NAME -f | ||
kubectl get secrets | ||
helm upgrade MyRelease ./charts/bitwarden_secrets_manager_operator/ \ | ||
-f /path/to/values.yaml --namespace MyNamespace \ | ||
--create-namespace --install | ||
``` | ||
|
||
### Clean Up | ||
|
||
```bash | ||
helm delete MyRelease | ||
``` | ||
|
||
## Development | ||
|
||
TBD - Currently to test I build and push the container to a on prem server. | ||
### Prerequisites | ||
|
||
[Kind](https://github.com/kubernetes-sigs/kind) is required for development of this operator, see [installation instructions](https://kind.sigs.k8s.io/docs/user/quick-start/#installation). | ||
|
||
### Instructions | ||
|
||
```bash | ||
# Create the kind cluster | ||
kind create cluster | ||
|
||
# Verify Context | ||
kubectl config current-context | ||
> kind-kind | ||
|
||
# Build the docker container for local development | ||
docker build . -t bwsm:development | ||
|
||
# Load the image into kind | ||
kind load docker-image bwsm:development | ||
|
||
# Create the namespace and bitwarden secrets manager secret | ||
kubectl create ns bwsm | ||
kubectl apply -f /path/to/bwsm_token.yaml # Example in examples/bws_token.yaml | ||
|
||
# Deploy the helm chart | ||
helm upgrade bwsm ./charts/bitwarden_secrets_manager_operator/ \ | ||
--namespace bwsm -f ./development/values.yaml \ | ||
--create-namespace --install | ||
|
||
# Apply a test bitwarden secret object | ||
kubectl apply -f /path/to/bwsm_secret_resource.yaml # Example in examples/bws_test_resource.yaml | ||
|
||
# Delete the kind cluster | ||
kind delete cluster | ||
``` | ||
|
||
### Commands for Easier Troubleshooting | ||
|
||
```bash | ||
# Follow the bwsm pod logs | ||
kubectl logs -n bwsm -f $(kubectl get pods -n bwsm -o json | jq -r '.items[0].metadata.name') | ||
``` | ||
|
||
## Frameworks | ||
|
||
These are the "frameworks" or projects that are utilized to make bitwarden secrets manager to function. | ||
|
||
- https://github.com/flant/shell-operator | ||
- https://github.com/helm/helm/ | ||
- https://github.com/bitwarden/sdk | ||
- https://github.com/kubernetes-sigs/kind | ||
|
||
## Disclaimer | ||
|
||
This project is in no way officially affiliated with the company Bitwarden. This is an | ||
FOSS project leveraging bitwarden's secrets manager. |
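Review bot: the new Development instructions point at `examples/bws_token.yaml` and `examples/bws_test_resource.yaml` in the comments on the two `kubectl apply -f /path/to/...` lines, but the commit message says the examples directory is deleted because helm now covers it, so a reader following the kind walkthrough has no manifests to copy; either keep those two files (for instance under `development/`, next to the `values.yaml` the helm command already uses) or change the comments to wherever they now live. Two smaller points in the same hunk: as rendered here the Installation code block shows the old shell-operator steps (docker build/push, `kubectl apply -f ./examples/`, `kubectl -n shell-operator ...`) interleaved with the new `helm upgrade ... --install` command, so confirm only the helm lines survive on the added side; and the example token manifest hard-codes `namespace: MyNamespace` while the Deployment reads the Secret from `.Release.Namespace`, so say explicitly that the Secret's namespace must match the release namespace (`bwsm` in the kind flow).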
@@ -0,0 +1,23 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ | ||
__snapshot__ |
@@ -0,0 +1,24 @@ | ||
apiVersion: v2 | ||
name: bwsm | ||
description: A Helm chart used to deploy a operator | ||
|
||
# A chart can be either an 'application' or a 'library' chart. | ||
# | ||
# Application charts are a collection of templates that can be packaged into versioned archives | ||
# to be deployed. | ||
# | ||
# Library charts provide useful utilities or functions for the chart developer. They're included as | ||
# a dependency of application charts to inject those utilities and functions into the rendering | ||
# pipeline. Library charts do not define any templates and therefore cannot be deployed. | ||
type: application | ||
|
||
# This is the chart version. This version number should be incremented each time you make changes | ||
# to the chart and its templates, including the app version. | ||
# Versions are expected to follow Semantic Versioning (https://semver.org/) | ||
version: 0.1.0 | ||
|
||
# This is the version number of the application being deployed. This version number should be | ||
# incremented each time you make changes to the application. Versions are not expected to | ||
# follow Semantic Versioning. They should reflect the version the application is using. | ||
# It is recommended to use it with quotes. | ||
appVersion: "v0.1.0" |
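Review bot: `name: bwsm` matches neither the chart directory `charts/bitwarden_secrets_manager_operator/` shown in the other file headers nor the `bitwarden_secrets_manager_operator.*` template names in `_helpers.tpl`; `.Chart.Name` feeds the default fullname and the container name in the Deployment, so pick one name and use it for the directory, `name:` and the helper prefix (helm lint also checks that the directory name and chart name agree). The description reads `a operator`; `an operator` is intended.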
charts/bitwarden_secrets_manager_operator/templates/NOTES.txt: 5 changes (5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
Congratulations you have installed the bitwarden secrets manager operator! | ||
|
||
There is an assumption that you have already deployed the kubernetes secret used to authenticate | ||
to bitwarden secrets manager. To begin using this operator check the README.md for examples on | ||
how to declare a bitwarden secret manager secret. |
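Review bot: the note says a Secret must already exist but not which one; the Deployment reads `.Values.bitwarden_secrets_manager_secret.name` and `.key` from `.Release.Namespace`, so render those values here (e.g. `Expecting Secret {{ .Values.bitwarden_secrets_manager_secret.name }} with key {{ .Values.bitwarden_secrets_manager_secret.key }} in namespace {{ .Release.Namespace }}`) so a wrong name or namespace is obvious at install time rather than surfacing later as a pod that fails to start.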
charts/bitwarden_secrets_manager_operator/templates/_helpers.tpl: 62 changes (62 additions & 0 deletions)
@@ -0,0 +1,62 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "bitwarden_secrets_manager_operator.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "bitwarden_secrets_manager_operator.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "bitwarden_secrets_manager_operator.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "bitwarden_secrets_manager_operator.labels" -}} | ||
helm.sh/chart: {{ include "bitwarden_secrets_manager_operator.chart" . }} | ||
{{ include "bitwarden_secrets_manager_operator.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "bitwarden_secrets_manager_operator.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "bitwarden_secrets_manager_operator.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "bitwarden_secrets_manager_operator.serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create }} | ||
{{- default (include "bitwarden_secrets_manager_operator.fullname" .) .Values.serviceAccount.name }} | ||
{{- else }} | ||
{{- default "bwsm-sa" .Values.serviceAccount.name }} | ||
{{- end }} | ||
{{- end }} |
charts/bitwarden_secrets_manager_operator/templates/bwsm-operator-deployment.yaml: 30 changes (30 additions & 0 deletions)
@@ -0,0 +1,30 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
{{- include "bitwarden_secrets_manager_operator.labels" . | nindent 4 }} | ||
name: {{ include "bitwarden_secrets_manager_operator.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
spec: | ||
replicas: {{ .Values.replicaCount }} | ||
selector: | ||
matchLabels: | ||
{{- include "bitwarden_secrets_manager_operator.selectorLabels" . | nindent 6 }} | ||
template: | ||
metadata: | ||
labels: | ||
{{- include "bitwarden_secrets_manager_operator.labels" . | nindent 8 }} | ||
spec: | ||
serviceAccountName: {{ include "bitwarden_secrets_manager_operator.serviceAccountName" . }} | ||
containers: | ||
- name: {{ .Chart.Name }} | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
resources: | ||
{{- toYaml .Values.resources | nindent 12 }} | ||
env: | ||
- name: BWS_ACCESS_TOKEN | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ .Values.bitwarden_secrets_manager_secret.name }} | ||
key: {{ .Values.bitwarden_secrets_manager_secret.key }} |
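Review bot: the container that holds the Bitwarden access token in `BWS_ACCESS_TOKEN` runs with no `securityContext`; add at least `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, or drive it from a `.Values.securityContext` block with `toYaml ... | nindent` the same way `resources` is rendered. Separately, `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` renders as `repo:` when `tag` is unset; `{{ .Values.image.tag | default .Chart.AppVersion }}`, as `helm create` scaffolds, gives a usable default.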
charts/bitwarden_secrets_manager_operator/templates/serviceaccount.yaml: 6 changes (6 additions & 0 deletions)
@@ -0,0 +1,6 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ include "bitwarden_secrets_manager_operator.serviceAccountName" . }} | ||
namespace: {{ .Release.Namespace }} |
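Review bot: the ServiceAccount is created unconditionally, so `.Values.serviceAccount.create`, which the `serviceAccountName` helper tests, has no effect: with `create: false` the helper resolves to `bwsm-sa` and this template still creates an account of that name. Wrap the manifest in `{{- if .Values.serviceAccount.create }}` ... `{{- end }}`, and add `labels: {{- include "bitwarden_secrets_manager_operator.labels" . | nindent 4 }}` so the account carries the same labels as the Deployment.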